Opinion: Microsoft’s Recall Feature Is A Total Security Nightmare, And Nobody Should Use It

With the announcement of Copilot+ PCs last month, Microsoft has also unveiled a new featuring coming later this year to AI-capable PCs, and it’s called “Recall”. Since then, people has decried the feature for being what is effectively a built-in spyware, and even security experts have called it a built-in “Trojan”, a security and privacy disaster waiting to happen.

In this blog, let me get you up to speed on what exactly is this highly-controversial feature, and why I’m here to tell you that you should never use it.

Recall? What’s That?

According to Microsoft, Recall is a much more powerful version of search in Windows – it works by taking screenshots of your PC’s content once every few seconds, which gets analyzed by your PC’s onboard NPU (Neural Processing Unit), and you can find it later via keywords like “a PowerPoint presentation with a slide in a red background”, to name an example. All the screenshots will be stored on-device and be encrypted, meaning on paper nobody will be able to take a peek on the data inside. Emphasize “on paper” here, which we’ll delve into later.

This feature will be available to all qualified Copilot+ PCs, and to qualify for one, a system must feature 16GB of RAM, 256GB of SSD, and a processor featuring NPU with more than 40 TOPS of compute power. Currently, only Qualcomm’s new Snapdragon X Elite / X Plus SoCs are qualified for this segment, but both Intel and AMD will soon follow with Lunar Lake and Strix Point (Zen 5) processors respectively, later this year.

Plenty Of Strings Attached

However, there are a few strings attached that Microsoft wasn’t very keen to advertise on. For one, it’ll occupy at least 25GB of disk space (around 3 months’ worth of images). To give you a idea, that’s roughly 10% of 256GB SSD – the minimum requirement for Copilot+ PCs – lost to this feature alone. A Windows installation itself already takes some 40GB away from the disk, which leaves you with a lot less storage available when this feature is turned on.

The biggest issue raised by everyone on the Internet comes down to how Recall deals with sensitive information. To put it simply: it doesn’t. Microsoft says Recall is incapable of distinguishing sensitive information such as passwords and IDs, and users are required to manually turn off Recall temporarily if the content on-screen contains sensitive information.

From a user experience perspective, this is certainly not something everyone will remember doing every time they needs to access banking websites, which means it’s only a matter of time before something slips in by accident. While the company says you can delete certain snapshots, not everyone is going to sift through possibly thousands of snapshots and pinpoint the one they need to delete after the fact – it’s just plain unintuitive to do so.

At one point, Microsoft even said this feature will be turned on by default, but the company has recently backtracked due to huge security concerns from users and security experts alike. The company has since promised stronger security, changed its policy to opt-in instead of opt-out, as well as mandating Windows Hello to enable the feature.

This Is Hacker’s Heaven

Before we talk about trust issues pertaining Microsoft as a company, let’s talk cybersecurity in general. There is no magic bullet here – cybersecurity is an eternal game of cat-and-mouse, and it’s constantly a race between threat actors and security firms to attack and defend, while all the PCs in the world is their battlefield. There is no such thing as “unbreakable” or “unhackable” – just ask NVIDIA about the LHR GPUs.

In cybersecurity (or security in general), there’s one doctrine called “security through obscurity“: if bad actors thinks something is not worth the effort, they will not bother. This is why it is commonly believed that macOS and Linux are safer than Windows – there just isn’t enough users on those platforms for hackers to care, and it’s also why the Wannacry ransomware attack has mostly targeted Windows systems back in 2017.

The presence of Recall poses a serious problem in this case. Since Recall puts all snapshots on one spot, its inherently a data goldmine for hackers: all your sensitive data is now in one place, ready to be siphoned away! Forget phishing attacks, the presence of Recall will lure hackers into concentrating all their firepower against whatever encryption Microsoft uses for this feature, because remember – nothing is unbreakable. All it takes is an exploit, a wrong switch, or a simple social engineering attack (with the help of AI too, now that we’re in 2024).

In fact, tools has been created already to extract the data Recall uses, and it’s developed by cybersecurity researcher Alexander Hagenah dubbed “TotalRecall“. Another security researcher, Kevin Beumont (also an ex-Microsoft employee) has wrote in a blog that all it takes is just “two lines of code” to steal data from Recall. I recommend you to read the blog which has simplified the whole ordeal into a few straightforward Q&As that a regular Joe should understand just enough to get the idea.

 

Microsoft’s AI Endgame

Let’s take a step back and ask ourselves: why is Microsoft so aggressive at pushing AI at every chance it gets? The simple fact is, competition is very much heating up in this space, and OpenAI being the golden hen of Microsoft’s AI efforts (despite Microsoft having no direct ownership of the organization) meant it’s not going to lose this chance of locking users into its own AI-powered ecosystem. Apple has long proven the sheer power of ecosystem, and Microsoft wants to replicate that through AI.

So, it’s pretty obvious that the easiest way to introduce AI to the masses is by tying up AI in every service it offers. Windows 11, Office 365, Bing, Outlook, you name it – the company even reversed its decision of ending Windows 10 feature support just to add Copilot AI into Windows 10 systems, which still holds as much as 70% of the Windows market share today (while Windows 11 is just occupying roughly one-quarter of the market).

From the outside, the company is facing stiff competition from Google and Meta – both of which has introduced its implementation of AI chatbots, search engines, and all kinds of feature with AI added into the mix. Apple reportedly will join this race later this year, although we’ll have to wait for a bit to know more (knowing Apple, it’s likely designed for its devices only).

It’s A Matter Of Trust – Which Microsoft No Longer Has

So, it all boils down to this question: do you trust Microsoft?

The company’s track record of security is well-known at this point, and it’s not a good one. Security problems aside, Microsoft has been known for many egregious attempts at upselling features such as Bing, Edge, OneDrive, which infuriate Windows 11 users; some of the tactics used has been borderline malware-like.

While Microsoft now promises the Recall feature will be opt-in, how long until it reverses the decision when it sees low user uptake? When would be the next time it turns on the feature by accident, just like Windows 10’s Windows Update fiasco? Implementing a feature like Recall demands a huge amount of trust towards Microsoft as a company, and the trust had been slowly eroded over the years.

When the tech industry is trying to protect user’s privacy (whether out of good faith or as a result of legislation), the Recall feature feels like a complete 180 to that, despite Microsoft’s promises. Even if the role is changed and Apple or Google is the one introducing the feature today, I’m sure it’ll receive just as much criticism – the truth is, security is as strong as its weak link, and a feature like Recall is something that, in my opinion, a risk simply too big to accept no matter how you put it.